TACACS access issue within VRF on cisco XR 4.3.4

Eric Guo
Level 1

hi all, 

we would like to change our TACACS access path from the global RT to the VRF RT, but we fail to access the TACACS server, with the error message shown below.

~~~~~~~~~~~~~~~

tacacs/tacacs_lt 0/RSP0/CPU0 t10 No appropriate server found - 'TACACS' detected the 'fatal' condition 'Server not found' 

~~~~~~~~~~~~~~~

we could ping 192.168.0.1 within vrf MGMT from loopback 1, but I am not sure why it says there is no route to the tacacs server.

ping vrf MGMT 192.168.0.1 source 10.10.18.99 - successful

here is the configuration for the tacacs setup, could someone share your thoughts?

=======================================

interface Loopback1
 vrf MGMT
 ipv4 address 10.10.18.99 255.255.255.255
!

aaa group server tacacs+ tttt
 server 192.168.0.1
 vrf MGMT
!
aaa authorization exec default group tttt local
aaa authentication login default group tttt local

tacacs source-interface Loopback1 vrf MGMT
tacacs-server host 192.168.0.1 port 49
 key 7 xxxxxxxx
!

control-plane
 management-plane
  out-of-band
   vrf MGMT
   interface Loopback1
    allow SSH peer
     address ipv4 192.168.0.0/24
    allow SNMP
!

line default
 exec-timeout 50 0
 access-class ingress VTYACL-IN
!

thanks, 

Eric

4 Replies

xthuijs
Cisco Employee

hi eric,

you have the right config there. Possibly you want to make the server private in the server group and remove the public definition.

if that doesn't do the trick, kick the aaa and tacacs process and capture some tac debugging, and mainly io, to see what tableID is picked for the server.

cheers!

xander
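What Xander's first suggestion looks like as IOS XR configuration, written as an added example for readers of this thread (it is not Xander's or Eric's config): the server becomes a private member of the group, the VRF stays on the group, and the global `tacacs-server host` line from the original post is dropped so there is only one definition of the server for the AAA process to evaluate. The group name, loopback, VRF and server address are taken from Eric's post; the key is a placeholder.

```text
! Added example, not from the thread. Server defined only inside the group
! (server-private) so no global definition can be bound to the wrong tableID.
aaa group server tacacs+ tttt
 vrf MGMT
 server-private 192.168.0.1 port 49
  key 7 <encrypted-key-placeholder>
 !
!
! Keep the source interface in the management VRF, as in the original post.
tacacs source-interface Loopback1 vrf MGMT
!
! Method lists unchanged from the original post.
aaa authentication login default group tttt local
aaa authorization exec default group tttt local
!
! Removed relative to the original post (the "public definition"):
!   tacacs-server host 192.168.0.1 port 49
!    key 7 xxxxxxxx
```

Commit the group change before, or together with, any AAA method-list change rather than after it, since the later replies describe the 4.3.4 tacacs process latching onto whatever routing table it saw at the time the server was first defined. After the commit, `show tacacs` should list the server as reachable; if it still reports the server as not found, the process restart Xander describes is what forces it to re-read the VRF binding.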

Thanks Xander for validating.

Yes, we reset the tacacs server process, and it was working around 8 hours later. I still have no idea what the reason is.

thanks,

Eric 

hi eric,

yeah, in XR 434 the config sequence is a bit "sensitive". So when things are not configured/committed in the right order, the tacacs process "assumes", for instance, the default routing table, because it didn't see the vrf from the server group.

so things continue to work with the wrong tableID until that process restart, which effectively re-evaluates the config.

that deficiency is taken care of in 51 onwards btw.

cheers!

xander

thanks Xander, good to know. Eric